metaads

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • EXTERNAL_DOWNLOADS (LOW): The skill documentation mentions the use of uv, a Python package installer. Automated scans identified a remote script download from astral.sh (curl -LsSf https://astral.sh/uv/install.sh | sh). While astral.sh is a reputable source for Python tooling, piped execution of remote scripts is generally a security risk. In this context, it is downgraded to LOW as it is part of the prerequisite environment setup for the developer toolset.
  • COMMAND_EXECUTION (SAFE): The skill makes extensive use of uv run to execute local Python scripts (Analytics.py, Publish.py). This is the intended behavior of the skill for managing ads and does not appear to involve arbitrary command injection from untrusted inputs.
  • DATA_EXFILTRATION (SAFE): The skill accesses sensitive credentials (META_ADS_ACCESS_TOKEN, META_ADS_ACCOUNT_ID) from a .env file. This is necessary for interaction with the Meta Ads API. There is no evidence of these tokens being sent to unauthorized third-party domains; they are only used for legitimate API calls to Meta.
  • PROMPT_INJECTION (LOW): The PublishCampaign.md workflow (Step 3) ingests user-provided data (headlines, primary texts, campaign names) to build a JSON configuration. While this presents a surface for indirect prompt injection, the data is primarily used for ad content and structured API calls rather than driving agent logic, posing a low risk.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:25 PM